b"  DEPARTMENT OF HOMELAND SECURITY\n\n        Office of Inspector General\n\n\n     Evaluation of DHS\xe2\x80\x99 Information Security \n\n          Program for Fiscal Year 2006 \n\n\n\n\n\n       Office of Information Technology\n\nOIG-06-62                       September 2006\n\x0c\x0cTable of Contents/Abbreviations \n\n\n  Executive Summary ....................................................................................................................... 1 \n\n\n  Background .................................................................................................................................... 3 \n\n\n  Results of Independent Evaluation ................................................................................................ 7 \n\n\n  Recommendations........................................................................................................................ 15 \n\n\n  Management Comments and OIG Analysis ................................................................................ 16 \n\n\nAppendices\n  Appendix A:                Purpose, Scope, and Methodology.................................................................. 18 \n\n  Appendix B:                Management Response to Draft Report ......................................................... 20 \n\n  Appendix C:                Digital Dashboard Example............................................................................ 24 \n\n  Appendix D:                IT Security Scorecard and C&A Remediation Progress Report .................... 26 \n\n  Appendix E:                System Inventory and IT Security Performance............................................. 27 \n\n  Appendix F:                OIG Assessment of the Plan of Action and Milestones Process .................... 30 \n\n  Appendix G:                OIG Assessment of the Certification and Accreditation Process ................... 
31 \n\n  Appendix H:                Agencywide Security Configuration Requirements ....................................... 32 \n\n  Appendix I:                Incident Detection and Handling Procedures ................................................. 33 \n\n  Appendix J:                Security Training Procedures.......................................................................... 34 \n\n  Appendix K:                Major Contributors to this Report................................................................... 35 \n\n  Appendix L:                Report Distribution ......................................................................................... 36 \n\n\nAbbreviations\n  ATO                        Authority to Operate    \n\n  C&A                        Certification and Accreditation   \n\n  CBP                        United States Customs and Border Protection \n\n  CIO                        Chief Information Officer \n\n  CIS                        United States Citizenship and Immigration Services \n\n  CISO                       Chief Information Security Officer   \n\n  CONOPS                     Concept of Operations     \n\n  CSIRC                      Computer Security Incident Response Center      \n\n  DHS                        Department of Homeland Security     \n\n  FEMA                       Federal Emergency Management Agency         \n\n  FIPS                       Federal Information Processing Standard    \n\n  FISMA                      Federal Information Security Management Act       \n\n  FLETC                      Federal Law Enforcement Training Center       \n\n  FY                         Fiscal Year \n\n  ICE                        United States Immigration and Customs Enforcement \n\n\n                             Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2006\n\x0cTable of Contents/Abbreviations \n\n  ISSM           Information Systems Security Manager\n  ISSO           Information Systems 
Security Officer\n  IT             Information Technology\n  NIST           National Institute of Standards and Technology\n  NOC            Network Operations Center\n  OIG            Office of Inspector General\n  OMB            Office of Management and Budget\n  POA&M          Plan of Action and Milestones\n  Preparedness   Directorate for Preparedness\n  RFID           Radio Frequency Identification\n  RMS            Risk Management System\n  SBU            Sensitive But Unclassified\n  S&T            Science and Technology\n  SOC            Security Operations Center\n  SP             Special Publication\n  TSA            Transportation Security Administration\n  TWIC           Transportation Worker Identification Credential\n  US-CERT        United States Computer Emergency Readiness Team\n  USCG           United States Coast Guard\n  USSS           United States Secret Service\n  US-VISIT       United States Visitor and Immigrant Status Indicator Technology\n\n\n\n\n                 Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2006\n\x0cOIG \n\nDepartment of Homeland Security\nOffice of Inspector General\n\nExecutive Summary\n                           We conducted an independent evaluation of the Department of Homeland\n                           Security\xe2\x80\x99s (DHS) information security program and practices to comply\n                           with the Office of Management and Budget\xe2\x80\x99s (OMB) Federal Information\n                           Security Management Act (FISMA) of 2002 reporting requirements.1 We\n                           evaluated DHS\xe2\x80\x99 progress in implementing its agencywide information\n                           security program. In doing so, we specifically assessed DHS\xe2\x80\x99 Plan of\n                           Action and Milestones (POA&M) as well as its certification and\n                           accreditation (C&A) processes. 
We performed our work at both the\n                           program and the component levels.\n\n                           In response to a United States House of Representatives, Committee on\n                           Appropriations report, DHS implemented a department-wide remediation\n                           plan to certify and accredit all operational systems by the end of Fiscal\n                           Year (FY) 2006.2 The completion of this plan will eliminate a major\n                           factor that held the Department back from strengthening its security\n                           program in prior years.\n\n                           In addition, some of the issues that we identified and recommendations\n                           made in our FY 2005 report, to assist DHS and its components in the\n                           implementation of its information program, have been addressed. Some of\n                           the measures taken include developing a process to maintain a\n                           comprehensive inventory and increasing the number of operational\n                           systems that have been certified and accredited.\n\n                           Despite several improvements in DHS\xe2\x80\x99 information security program in\n                           the past year, DHS components, through their Information Systems\n                           Security Managers (ISSM), have not completely aligned their respective\n                           information security programs with DHS\xe2\x80\x99 overall policies, procedures, and\n                           practices. 
For example:\n\n                           \xe2\x80\xa2 \t All DHS systems have not been properly certified and accredited.\n                           \xe2\x80\xa2 \t All components\xe2\x80\x99 information security weaknesses are not included in a\n                                POA&M.\n                           \xe2\x80\xa2 \t Data in the enterprise management tool, Trusted Agent FISMA, is not\n                                complete or current.\n\n1\n    FISMA is included under Title III of the E-Government Act (Public Law 107-347).\n2\n    House Report 109-079 \xe2\x80\x93 Department of Homeland Security Appropriations Bill, 2006.\n\n                             Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2006 \n\n\n                                                       Page 1 \n\n\x0c\xe2\x80\xa2     System contingency plans have not been tested for all systems.\n\nWhile DHS has issued substantial guidance designed to create and\nmaintain secure systems, we identified areas where the implementation of\nagencywide information security procedures require strengthening: (1)\ncertification and accreditation; (2) plan of action and milestones; (3)\nsecurity configurations; (4) vulnerability testing and remediation; (5)\ncontingency plan testing; (6) incident detection, analysis, and reporting;\nand (7) specialized security training.\n\nIn response to our draft report, DHS concurred with our recommendations\nand is in the process of implementing corrective measures. 
DHS\xe2\x80\x99\nresponse is summarized and evaluated in the body of this report and\nincluded, in its entirety, as Appendix B.\n\n\n\n\n    Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2006 \n\n\n                              Page 2 \n\n\x0cBackground\n                            Due to the increasing threat to information systems and the highly\n                            networked nature of the federal computing environment, Congress, in\n                            conjunction with OMB, requires an annual review and reporting of\n                            agencies\xe2\x80\x99 compliance with FISMA. FISMA focuses on the program\n                            management, implementation, and evaluation of the security of\n                            unclassified and national security systems.3\n\n                            The E-Government Act of 2002 (Public Law 107-347) recognized the\n                            importance of information security to the economic and national security\n                            interests of the United States.4 Title III of the E-Government Act, entitled\n                            FISMA, provides a comprehensive framework to ensure the effectiveness\n                            of security controls over information resources that support federal\n                            operations and assets.\n\n                            FISMA requires each federal agency to develop, document, and\n                            implement an agencywide security program. The agency\xe2\x80\x99s security\n                            program should protect the information and the information systems that\n                            support the operations and assets of the agency, including those provided\n                            or managed by another agency, contractor, or other source. 
As specified\n                            in FISMA, agency heads are charged with conducting an annual\n                            evaluation of information programs and systems under their purview, as\n                            well as assessments of related security policies and procedures. Offices of\n                            Inspector General (OIG) must independently evaluate the effectiveness of\n                            an agency\xe2\x80\x99s information security program and practices on an annual\n                            basis.\n\n                            OMB issued memorandum M-06-20, FY 2006 Reporting Instructions for\n                            the Federal Information Security Management Act and Agency Privacy\n                            Management, on July 17, 2006. The memorandum provides updated\n                            instructions for agency and OIG reporting under FISMA. This annual\n                            evaluation summarizes, according to OMB\xe2\x80\x99s instructions, the results of\n                            our review of DHS\xe2\x80\x99 information security program and practices.\n\n3\n  The term \xe2\x80\x9cnational security system\xe2\x80\x9d means any information system, including any telecommunications system,\n   used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency:\n  (i) \t The function, operation, or use of which involves intelligence activities; involves cryptographic activities \n\n         related to national security; involves command and control of military forces; involves equipment that is an\n\n         integral part of a weapon or weapons system; or is critical to the direct fulfillment of military intelligence \n\n         missions (excluding a system that is to be used for routine administrative and business applications, i.e.,\n\n         payroll, finance, logistics, and personnel management applications), or \n\n  (ii) is protected at all 
times by procedures established for information that have been specifically authorized under\n        criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national\n        defense or foreign policy.\n4\n  Information security means protecting information and information systems from unauthorized access, use,\ndisclosure, disruption, modification, or destruction.\n\n                              Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2006 \n\n\n                                                          Page 3 \n\n\x0c                             The Chief Information Security Officer (CISO) revised the baseline\n                             information technology (IT) security policies and procedures in the DHS\n                             Sensitive Systems Policy Directive 4300A and its companion, DHS 4300B\n                             Sensitive Systems Handbook, and DHS National Security Systems Policy\n                             Directive 4300B and its companion, DHS 4300B National Security\n                             Systems Handbook,5 to include updated policy on certification and\n                             accreditation, wireless communication, and configuration management.\n                             Other changes included guidance for tailoring National Institute of\n                             Standards and Technology (NIST) Special Publication (SP) 800-53\n                             controls based on the impact level established for each security objective\n                             (confidentiality, integrity, availability) and mandating that the components\n                             implement NIST SP 800-53 controls for all operational systems by\n                             March 2007. 
Additionally, DHS issued the DHS Certification and\n                             Accreditation Guidance for Sensitive But Unclassified (SBU) Systems\n                             User\xe2\x80\x99s Manual,6 which provides the components with the necessary\n                             guidance and procedures to complete the C&A for SBU systems.\n                             Together, these policies and procedures - if fully implemented by the\n                             components - should provide DHS with an effective information security\n                             program that complies with FISMA requirements.\n\n                             DHS has developed a process for reporting and capturing known security\n                             weaknesses in POA&Ms. DHS uses an enterprise management tool,\n                             Trusted Agent FISMA, to collect and track data related to all POA&M\n                             activities, including self-assessments, and certification and accreditation\n                             data. Trusted Agent FISMA also collects data on other FISMA metrics,\n                             such as the number of systems that have contingency plans, systems with\n                             contingency plans tested, systems certified and accredited, employees who\n                             have received IT security training, and incident response statistics. 
See\n                             Figure 1 for DHS\xe2\x80\x99 POA&M process.\n\n\n\n\n5\n    The latest versions are dated June 1, 2006.\n6\n    Dated May 5, 2006.\n\n                               Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2006 \n\n\n                                                         Page 4 \n\n\x0c                                              Figure 1: DHS\xe2\x80\x99 POA&M Process\n\n                                                                              An IT Security Weakness,\n                                                                                Material Weakness, or\n                                                                               Significant Deficiency is\n                                                           Weakness              identified, at either a\n                                                           Identified         program or a system level.                                                             ISSMs review, on a\n                                                                                                                                                              ISSM   quarterly basis, for\n                                                                                                                                                                     consistency and accuracy\n                                                                                                                                                                     within their OE\n                                                                                                                                        Quarterly\n                                                                                                                                     Reporting/Review                CISO submits quarterly\n                                                               
                                                                                                      reports to OMB and\n                                                                                                                                                                     Congress\n                                  ISSOs ensure POA&M       Document\n                                  are entered into         Weakness\n                                  Trusted Agent FISMA.                                   Trusted FISMA Agent                             Annual\n                                                                                                                                     Reporting/Review\n                                                                             The OE's use the DHS Enterprise -wide tool,\n                                                                          Trusted Agent FISMA, for identifying and tracking\n                                                                                       all POA&Ms to closure.\n   The DHS CISO ensures that the agency's\n                                                                          For Sensitive Systems - The OE's document and\n         POA&M process represents a\n       prioritization of agency IT security                                manage POA&M's using Trusted Agent FI SMA.\n      weaknesses which ensures that IT                                    For Classified, Intelligence, and National Security\n                                                           Prioritize    Systems - The OE's maintain redacted POA&M data\n    security weaknesses are addressed in a\n                                                                              within Trusted Agent FISMA for enterprise\n       timely manner and receive, where\n       necessary, appropriate resources                                     management and oversight. 
Detailed POA&M\n                                                                           documentation is maintained off -line and made\n                                                                                      readily available to auditors.\n\n\n\n                                                                                  ISSOs\n                                                            POA&M                 develop, track\n                                                         Developed and            and manage\n                                                          Documented              POA&Ms for\n                                                                                  systems                           ISSMs ensure the use of Trusted Agent\n                                                                                  under their                       FISMA to develop, track, and manage the\n                                                                                  control.                 
ISSM     remediation of IT system and program\n                                                                                                                    weaknesses within their OE\n\n\n\n                                                             Take\n                                                           Corrective\n                                                            Action\n\n                                                                           Repeat until all of the\n                                                                           milestones have been\n                                                                           completed for each\n                                                                           weakness.\n                   Independent review conducted\n                   by Compliance and Oversight               Track\n                   Program within the Office of the       Corrective\n                   CISO                                   Action(s) to\n                                                          Completion\n\n\n                                                                          Complete Monthly\n                                                                          Updates within Trusted\n                                                           Monthly        Agent FISMA\n                                                          Reviews of\n                                                          weaknesses\n                                                         and milestone\n                                                             data                 ISSOs ensure POA&M are\n                                                                                  current as documented in\n                                                                                  Trusted Agent FISMA\n\n\nSource: DHS 4300A Sensitive Systems Handbook \xe2\x80\x93 Attachment H - 
POA&M Process Guide\n\n\n                                              DHS also uses an enterprise C&A tool, Risk Management System (RMS),\n                                              to automate and standardize portions of the C&A process to assist the\n                                              DHS components to quickly and efficiently develop security accreditation\n                                              packages. See Figure 2 for an illustration on how the enterprise\n                                              management and C&A tools are used within the Department to collect,\n                                              manage, and report information security metrics.\n\n\n\n\n                                                Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2006 \n\n\n                                                                                       Page 5 \n\n\x0c                            Figure 2: DHS\xe2\x80\x99 Enterprise Security Management Tools Usage\n\n                                  DHS 4300                                        C&A Tool                                        Data Review Teams\n\n                             FISMA Requirements                          System Security Plan (SSP)                                     DHS\n                                                                                                                                     Compliance\n                             OMB/NIST Guidance                      Requirements Traceability Matrix (RTM)                             Review\n                                                                                                                                       Teams\n                                                                      Security Assessment Report (SAR)\n                              Other Requirements\n                                                                           Sample Test 
Procedures\n                                       Component IT Security                                                                            OIG\n                                       Program Implementation                    Test Results\n\n                                                                              Contingency Plans               Data Verification\n                                                  IT System                                                       and Review\n                                             Implementations                                                                         Component/\n                                                                                                                                      Domain\n                                                                                       Future Link                                     ISSM\n                                   DHS\n                                Component/\n                                                                         FISMA Reporting Tool\n                                  Domain\n\n                                                                     System and Program Security Metrics\n                                                 Monthly Status\n                                                 Updates            Plan of Action and Milestones (POA&M)\n                                                                                                             FISMA Reports              OMB\n                                                                      Annual Assessment Questionnaire\n\n                                                                        Summary of C&A Status/Docs\n\n                                                                                   Reports\n\n                                                                              Digital Dashboard               Metrics\n     
                                                                                                                                  DHS\n                                                                                                              Digital Dashboard     Management\n\n\n\n                            Source: DHS 4300A Sensitive Systems Handbook, Attachment E \xe2\x80\x93 FISMA Reporting\n\n\n\n                            DHS developed the FY 2006 DHS Information Security Certification and\n                            Accreditation (C&A) Remediation Plan to meet the Department\xe2\x80\x99s goal of\n                            100 percent C&A of all IT systems by September 30, 2006. The objective\n                            of the plan is to provide agencywide information security procedures to\n                            report on the progress of the C&A efforts within the Department. To\n                            manage the components\xe2\x80\x99 compliance with the C&A remediation plan, the\n                            CISO developed a \xe2\x80\x9cdigital dashboard,\xe2\x80\x9d which uses red, yellow, and green\n                            indicators to reflect the status of each component\xe2\x80\x99s percentage of\n                            compliance.7 The information used to develop the digital dashboard\n                            comes from data in Trusted Agent FISMA. See Appendix C for an\n                            example of the digital dashboard. A Department-wide IT Security\n                            Scorecard and C&A Remediation Progress Report was also developed to\n                            track the progress of the components and the Department in meeting its\n                            goal. 
See Appendix D for the July 2006 report.\n\n\n\n\n7\n  These metrics include the average C&A remediation scores of all inventory systems for each component.\nRemediation scoring concerns validated artifacts that are weighted according to their importance. Documents\ninclude a valid authority to operate letter, risk assessment, system security plan, security test and evaluation plan,\nsecurity assessment report, contingency plan, contingency plan test results, FIPS 199 security categorization\ndetermination, e-authentication, privacy threshold analysis, and security self-assessment.\n\n                             Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2006 \n\n\n                                                                  Page 6 \n\n\x0cResults of Independent Evaluation\nWe separated the results of our evaluation into six FISMA reporting areas. For each area, we\nidentified progress that DHS has made since our FY 2005 evaluation and issues that need to be\naddressed to be successful in the FISMA area.\n\n              System Inventory and IT Security Performance\n\n                      DHS has established procedures to adequately maintain its system\n                      inventory and has also issued updated guidance to the components\n                      regarding many aspects of its IT security program including C&A and\n                      contingency planning.\n\n                      PROGRESS\n\n                      \xe2\x80\xa2 \t DHS has a comprehensive inventory of its major applications and\n                         general support systems, including contractor and national security\n                         systems. 
DHS identified 692 operational systems (as of\n                         September 15, 2006).\n                      \xe2\x80\xa2 \t DHS has developed an effective process to update and maintain its\n                         inventory on an annual basis for agency, contractors, and classified\n                         systems.\n                      \xe2\x80\xa2 \t DHS has performed self-assessments on 198 (96 percent) of its\n                         contractor systems as of September 15, 2006.\n                      \xe2\x80\xa2 \t DHS updated its Rules of Behavior in the DHS Handbook to include\n                         the prohibition of peer-to-peer file sharing or software for the purpose\n                         of sharing files.\n\n                      ISSUES TO BE ADDRESSED\n\n                      \xe2\x80\xa2 \t System contingency plans have not been tested for 301 (44 percent) of\n                         systems as of September 15, 2006.\n                      \xe2\x80\xa2 \t DHS cannot totally rely on all of the standard reports generated from\n                         Trusted Agent FISMA. 
The Chief Information Officer (CIO) has to\n                         validate some data (numbers of systems reviewed, number of systems\n                         for which security controls have been tested and evaluated in the last\n                         year) in the \xe2\x80\x9cSystem Inventory and IT Security Performance\xe2\x80\x9d report\n                         before providing it to OMB.\n\n                      See Appendix E for specific System Inventory and IT Security\n                      Performance data.\n\n\n\n                       Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2006 \n\n\n                                                 Page 7 \n\n\x0cPlan of Action and Milestones Process\n\n      Although DHS has issued guidance and implemented a tool to capture and\n      track weaknesses, improvements continue to be needed in the\n      components\xe2\x80\x99 implementation of the POA&M process. The components\n      are not including all IT security weaknesses in the tool nor is all of the\n      data entered accurate and updated timely.\n\n      PROGRESS\n\n      \xe2\x80\xa2 \t DHS made numerous enhancements to Trusted Agent FISMA to make\n          it a more useful tool to manage its security program. 
Enhancements included improved capability to prioritize POA&M weaknesses and additional management reports to validate the integrity of the information entered.
• DHS conducted component site visits and Trusted Agent FISMA training, which included detailed reviews of the POA&M process, to ensure the quality and completeness of the components’ POA&M data. DHS conducts quarterly reviews and reports its findings to the DHS Compliance and Oversight Office and components.

ISSUES TO BE ADDRESSED

• DHS’ components have not created POA&Ms for all known security weaknesses. As of June 8, 2006, 388 (55 percent) of the operational systems had a POA&M in Trusted Agent FISMA. DHS requires components to create at least one POA&M for every system. We reviewed 27 operational systems that had not been accredited and found 18 that did not have at least one POA&M (lack of a completed C&A).
• DHS relies on the component ISSMs and Information Systems Security Officers (ISSOs) to ensure that POA&M information is entered accurately and that weaknesses are resolved. Based on an analysis of data in Trusted Agent FISMA as of June 8, 2006, the ISSMs and ISSOs are not maintaining current information as to the progress of security weakness remediation. The Office of the CISO cannot effectively manage its security program without key information being maintained accurately.
  - Component management was not updating all weaknesses when the estimated completion date had been delayed. Four hundred and seventy-seven (477) of the 3,566 open POA&Ms (13 percent) had estimated completion dates that were at least 3 months past due (prior to March 8, 2006), including 37 that had an estimated completion date over 1 year old.
  - Twenty-eight open POA&Ms, which included 18 POA&Ms designated as high or medium criticality, did not have an estimated completion date entered in the system.
  - Two thousand four hundred and sixty-two (2,462) of the 3,566 open POA&Ms (69 percent) did not include the resources required for remediation. For the remaining 1,104 POA&Ms that included required resources, 438 (40 percent) listed the cost of remediation as 1 dollar. The total estimated cost of remediation for the 1,104 POA&Ms is approximately $90.2 million. Because this amount represents less than one third of all open POA&Ms, the actual cost to remediate all weaknesses cannot be accurately budgeted by the components or the Department.
• Not all POA&Ms are being resolved in a timely manner. As of June 8, 2006, 182 of 3,566 open POA&Ms (5 percent), which included 91 designated as high criticality, reported estimated completion dates that were more than 2 years after the identification of the weakness.
• Some missing or incomplete data identified during DHS’ quarterly reviews of the components’ POA&Ms have not been corrected. Examples that were identified included systems with an authority to operate (ATO) but no POA&Ms, and weaknesses without resources or milestones. Many of the systems with incomplete or missing data identified during the March 2006 review were also identified during the June 2006 review.
• The CISO has not begun to use POA&M priority levels to ensure the timely resolution of critical weaknesses.

See Appendix F for the OIG Assessment of the POA&M Process.

Certification and Accreditation Process

DHS requires components to use a department-wide tool that incorporates NIST security controls to conduct their C&As. In using this tool, components are required to apply NIST SP 800-53 security controls for all system certifications begun after June 1, 2006. 
However, for many of the systems reviewed, the artifacts that are required to support the C&A were either missing or incomplete.

PROGRESS

• DHS issued Certification and Accreditation Guidance for SBU Systems to provide step-by-step instructions to the components to perform system C&A.
• DHS developed a C&A Remediation Plan designed to have 100 percent of its systems certified and accredited and contingency plans tested in FY 2006.
• DHS requires 11 C&A artifacts to be uploaded into Trusted Agent FISMA to monitor components’ progress in meeting its C&A remediation plan goal.[8] In addition, the CISO established a process to independently review and validate the artifacts in Trusted Agent FISMA.
• The CISO monitors components’ progress through monthly scorecard reports. See Appendix D for the July 2006 report.
• Components are required to apply NIST SP 800-53 security controls for all system certifications begun after June 1, 2006.
• DHS has updated RMS to incorporate NIST SP 800-53 and Federal Information Processing Standard (FIPS) Publication 200 security controls.
• Beginning in February 2006, the DHS Privacy Office is responsible for validating Privacy Threshold Assessments and Privacy Impact Assessments for all systems.
• As of August 14, 2006, 77 percent of DHS’ operational systems have been certified and accredited and obtained an ATO. This is an improvement over FY 2005, when 32 percent of the Department’s systems had been certified and accredited.
• Many ISSMs have formal and informal processes in place to review C&A documentation for their systems.

ISSUES TO BE ADDRESSED

• We selected 35 systems spanning 10 components (including 29 systems with current ATOs) to evaluate the quality of DHS’ C&A process. In 27 instances, the accreditation packages were incomplete. The C&A process requires documentation of system security plans, risk assessments, system test and evaluation plans, security assessment reports, contingency plans, and contingency plan test results. Specifically, systems were accredited although some security documents were missing key information that is required to meet applicable DHS, OMB, and NIST guidelines. Without this information, agency officials cannot make credible risk-based decisions on whether to authorize the system to operate. For example, we identified the following:
  - Eleven instances where system security plans were incomplete, as sections that describe operational and technical controls and incident handling procedures were missing;
  - Twenty instances where the use of automated vulnerability assessment tools was not documented in the risk assessments;
  - Nine instances where the alternate processing facilities were not identified in the contingency plans for systems that were categorized as high impact;
  - Eight instances where the contingency plans were not tested or the results were not documented; and
  - Fifteen instances where there were no documented test results from the system test and evaluation plan or the residual risks were not identified in the security assessment report.
• We identified deficiencies in artifacts that had been validated by DHS. For example, systems with an expired ATO or Interim ATO were validated by DHS and accepted as having a current ATO. In addition, an e-authentication workbook was improperly validated as support for performing a FIPS 199 categorization. We also identified instances where the dates reported in Trusted Agent FISMA were not the same as the dates in the supporting artifacts.
• Twenty-eight systems were accredited without at least one of three critical artifacts: risk assessment, system security plan, or security assessment report. Four of the 28 lacked all three of the required artifacts.
• Six United States Citizenship and Immigration Services (CIS) systems had one or more of the security objectives (confidentiality, integrity, availability) in the FIPS 199 worksheet that did not match what was reported in the system security plan. The DHS CIO has not issued detailed guidance to the components on how to categorize systems based on the types of data being captured, processed, or maintained. Therefore, there is little assurance that the accreditations by the components were based on an accurate review of risks and the controls needed.
• Based on guidance provided by the CISO to the components, 80 systems were accredited for 1 year or less (including 24 for 6 months or less). These systems should not be considered in calculating the number of systems that DHS has accredited.

See Appendix G for the OIG Assessment of the C&A Process.

[8] The 11 artifacts are: ATO letter, system security plan, security assessment report, risk assessment, security test and evaluation, contingency plan, contingency plan test results, FIPS 199 determination, e-authentication determination, privacy threshold analysis, and NIST 800-26.

Agencywide Security Configuration Requirements

Although DHS has updated its baseline software security configuration guides, the components have not implemented all of the required software security configurations.

PROGRESS

• DHS updated its agencywide security baseline configuration guides for Windows 2000/2003/XP, Solaris, HP-UX, Linux, Cisco Routers, and Oracle database servers in May 2006.
• An analysis of three baseline configuration guides (Windows, Oracle, and Cisco) disclosed that they provide a sufficient level of detail to adequately secure basic installations of these systems.

ISSUES TO BE ADDRESSED

• Baseline configuration guides had not been developed for all software systems in use at DHS (for example, Windows NT, Windows Active Directory).
• DHS policy does not require that components use guidelines published by other agencies (such as NIST, National Security Agency, and Defense Information Systems Agency) for systems where DHS has not developed its own baseline configuration guides.
• Components have not fully implemented DHS baseline security configuration requirements for all of their systems. 
Our review of four systems at three components (Federal Emergency Management Agency (FEMA), United States Immigration and Customs Enforcement (ICE), and Directorate for Preparedness (Preparedness)) disclosed that some DHS baseline configuration requirements were not implemented for their Windows and Oracle systems.
• The CIO does not have a process to determine whether components have implemented DHS baseline configuration requirements.
• Vulnerability assessments performed at components reviewed during our laptop, Radio Frequency Identification (RFID), and Transportation Worker Identification Credential (TWIC) audits identified security concerns resulting from inadequate password controls, patch management, and configuration management. Components included United States Customs and Border Protection (CBP), OIG, Science and Technology (S&T), Transportation Security Administration (TSA), and United States Visitor and Immigrant Status Indicator Technology (US-VISIT).[9]

See Appendix H for information regarding DHS’ Agencywide Security Configuration Requirements.

Incident Detection, Handling, and Analysis Procedures

DHS has not improved its incident detection, handling, and analysis procedures during the last year. DHS does not have a departmental vulnerability assessment program to ensure that all systems are tested at least yearly, nor is there assurance that all security incidents are being reported.

ISSUES TO BE ADDRESSED

• DHS’ vulnerability assessment program has not been fully established. Therefore, DHS does not have reliable measures or a baseline to assess the results of its vulnerability scans or its penetration testing.
• Some components are not reporting incidents to the DHS Computer Security Incident Response Center (CSIRC), as required. Components are required to submit weekly incident reports. Five components (FEMA, Federal Law Enforcement Training Center (FLETC), OIG, TSA, and United States Secret Service (USSS)) did not submit reports every week during a 12-week period that we reviewed.
• DHS CSIRC does not follow up with components that do not submit weekly incident reports.
• DHS does not have detailed procedures for reporting incidents externally to law enforcement authorities. We also reported this issue in our FY 2004 and FY 2005 FISMA reports.[10]
• The DHS CSIRC does not have detailed procedures for reporting incidents to the United States Computer Emergency Readiness Team (US-CERT).
• DHS has not defined detailed procedures for the DHS CSIRC to perform department-wide security incident analysis. We reported a similar issue in our FY 2005 FISMA report.

See Appendix I for information regarding DHS’ Incident Detection and Handling Procedures.

[9] CBP’s Trusted Traveler Systems Using RFID Technology Require Enhanced Security, dated May 2006 (OIG-06-36); Enhanced Security Controls Needed for US-VISIT’s System Using RFID Technology, dated June 2006 (OIG-06-39); Improved Administration Can Enhance Science and Technology Laptop Computer Security, dated June 2006 (OIG-06-42); TSA’s Development of Its Weapons Management System Using RFID, dated July 2006 (OIG-06-44); DHS Must Address Significant Security Vulnerabilities Prior to TWIC Implementation, dated July 2006 (OIG-06-47); Office of Inspector General Laptop Computers Are Susceptible To Compromise, dated September 2006 (OIG-06-58).
[10] Evaluation of DHS’ Information Security Program for Fiscal Year 2004, dated September 2004 (OIG-04-41); Evaluation of DHS’ Information Security Program for Fiscal Year 2005, dated September 2005 (OIG-05-46).

Security Training Procedures

DHS has begun to validate employee training at the components. 
The Information Security Training, Education, and Awareness Office (Training Office) has not determined the specific training that is needed for employees with significant security responsibilities.

PROGRESS

• The Training Office started quarterly reviews in May 2006 to validate security awareness training statistics entered into Trusted Agent FISMA by each component.
• The Training Office reviews training materials used by the components.

ISSUES TO BE ADDRESSED

• DHS (CIO and Office of Human Capital) has not implemented a department-wide web-based IT security training program (learning management system) to standardize security awareness training and to track the completion of security training. The learning management system was originally planned to be implemented in FY 2004, but it was pushed back to FY 2006. Currently, the plan is to launch the system by the end of August 2006 for DHS headquarters employees only. The system is expected to be fully functional (available to all components) by FY 2010.
• The Training Office has not established the appropriate specialized security training that is needed for all employees and contractors with significant IT security responsibilities. While the Training Office ensures that ISSMs and ISSOs obtain specialized training, it relies on the components to ensure that other individuals with significant security responsibilities (including system administrators, database administrators, and network administrators) are properly trained. We reported a similar issue in our FY 2005 FISMA report.
• As of August 4, 2006, the Training Office had not begun to validate specialized security training for individuals with significant IT security responsibilities at each component.
• Some of the FY 2005 training plans (submitted by September 1, 2005) did not include all of the mandatory data elements required by the DHS Handbook. For example, training plans did not include the number of employees and contractors with network accounts, dates for security awareness training, the number of information systems security employees, and dates for specialized training. Because the FY 2006 plans are not due until September 1, 2006, we were unable to determine whether these plans are adequate.

See Appendix J for information regarding DHS’ Security Training Procedures.

Recommendations

We recommend that the DHS CIO:

1. Improve the CISO’s review process to ensure that all POA&Ms are complete, accurate, and current. Deficiencies identified during the reviews should be corrected timely.
2. Ensure the quality of all C&A documents (complete, accurate, and properly validated) before a system is accredited by improving the artifact validation process.
3. Implement a department-wide incident analysis process and vulnerability assessment program (including baseline configuration requirements verification).
4. Ensure that all incidents are reported to the DHS CSIRC. The DHS CSIRC should follow up with components that do not provide the required reports.
5. Develop and implement documented procedures to identify, report, and track incidents that should be forwarded to law enforcement authorities and US-CERT (for example, type of incidents to report, deadlines to report incidents, responsible agency and reporting contacts, and methods to report incidents).
6. Establish the appropriate training that is needed for all individuals with significant security responsibilities; ensure that these individuals complete the required training as part of the validation process performed by the Training Office.
7. Identify the Department’s information data types and their minimum FIPS 199 categorizations to assist the components in determining the security controls needed for their data.
8. Ensure that configuration requirements are developed and published for all major software systems used by DHS components.

Management Comments and OIG Analysis

DHS agreed with recommendation 1. DHS continues to improve the POA&M process and will increase its focus on POA&M quality and timeliness in FY 2007.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS agreed with recommendation 2. DHS recently changed the personnel responsible for validating its C&A documents to provide additional quality assurance safeguards. 
Continued quality improvements of its C&A documents will occur in FY 2007.

We agree that the steps DHS has taken, and plans to take, satisfy this recommendation.

DHS agreed with recommendation 3. DHS plans to improve its vulnerability management as part of its enterprise Network Operations Center/Security Operations Center (NOC/SOC) in FY 2007. A Concept of Operations (CONOPS) for the NOC/SOC, which will provide detailed guidance, is under development and will be completed by March 30, 2007.

We agree that the steps DHS plans to take begin to satisfy this recommendation. However, DHS did not fully address our recommendation. We maintain that a department-wide incident analysis process and vulnerability program should be part of the NOC/SOC.

DHS agreed with recommendation 4. DHS plans to improve its security incident analysis and reporting with the implementation of its enterprise NOC/SOC CONOPS in FY 2007.

We agree that the steps DHS plans to take begin to satisfy this recommendation. However, DHS did not fully address our recommendation. We maintain that the DHS CSIRC should ensure that all incidents are reported.

DHS agreed with recommendation 5. DHS plans to improve its security incident analysis and reporting with the implementation of its enterprise NOC/SOC and development of a CONOPS in FY 2007.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS agreed with recommendation 6. The CISO provides specialized security training during its annual security conference, and individuals receive role-based training on a case-by-case basis.

We agree that the steps DHS plans to take begin to satisfy this recommendation. However, DHS did not fully address our recommendation. We maintain that DHS should establish appropriate training for all individuals with significant security responsibilities and ensure that these individuals complete the required training.

DHS agreed with recommendation 7. DHS will expand its process for reviewing, and possibly add, additional information types in FY 2007.

We agree that the steps DHS plans to take satisfy this recommendation.

DHS agreed with recommendation 8. The Department recently issued a configuration guide for Windows NT.

We agree that the steps DHS has taken satisfy this recommendation.

Appendix A
Purpose, Scope, and Methodology

The objective of this review was to determine whether DHS has developed adequate and effective information security policies, procedures, and practices, in compliance with FISMA. 
In addition, we evaluated DHS’ progress in developing, managing, and implementing its information security program.

Our independent evaluation focused on DHS’ information security program and practices, based on the requirements outlined in FISMA, and using OMB Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, issued on July 17, 2006. We conducted our work at the program level and at DHS’ major components (CBP, CIS, DHS Management, FEMA, FLETC, ICE, OIG, Preparedness, S&T, TSA, United States Coast Guard (USCG), and USSS).

In addition to our independent evaluation, we conducted reviews of DHS’ information systems and security program related areas throughout FY 2006. This report includes results of a limited number of systems evaluated during our past and on-going financial statement review, laptop security, database security, RFID, TWIC program at TSA, and US-VISIT security audits.

As part of our evaluation of DHS’ compliance with FISMA, we assessed DHS and its components’ compliance with the security requirements mandated by FISMA and other federal information systems security policies, procedures, standards, and guidelines, including NIST SP 800-37 and FIPS 199. Specifically, we (1) used last year’s FISMA independent evaluation as a baseline for this year’s review and assessed the progress that DHS has made in resolving weaknesses previously identified; (2) focused on reviewing DHS’ POA&M process to ensure that all security weaknesses are identified, tracked, and addressed; (3) reviewed policies, procedures, and practices that DHS has at the program level and at the component level; (4) evaluated processes (i.e., system inventory, C&A, security training, and incident response) DHS has implemented as part of its agencywide information security program; and (5) developed our independent evaluation of DHS’ information security program.

OIG audit contractors were responsible for reviewing the quality of the C&A packages for a sample of 35 systems at 10 components (CBP, CIS, DHS Management, FEMA, ICE, Preparedness, S&T, TSA, USCG, and USSS) to ensure that all of the required documents were completed prior to the systems being accredited.

We conducted our evaluation between May and September 2006 under the authority of the Inspector General Act of 1978, as amended, and according to the Quality Standards for Inspections issued by the President’s Council on Integrity and Efficiency. Major OIG contributors to the evaluation are identified in Appendix K.

The principal OIG points of contact for the evaluation are Frank Deffer, Assistant Inspector General, Office of Information Technology, at (202) 254-4100 and Edward G. Coleman, Director, Information Security Audits Division, at (202) 254-5444.

Appendix B
Management Response to Draft Report

[The management response is not available in the text of this extraction.]

Appendix C
Digital Dashboard Example

[Two dashboard figures, each marked FOR ILLUSTRATION PURPOSES ONLY; figure content not available in the text of this extraction.]

Appendix D
IT Security Scorecard and C&A Remediation Progress Report for July 2006

[Scorecard figure; content not available in the text of this extraction.]

Appendix E
System Inventory and IT Security Performance

Question 1 and 2 – System Inventory and IT Security Performance

1. 
1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).

   To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
   1) Continue to use NIST Special Publication 800-26, or,
   2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53

   Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

2. For each part of this question, identify actual performance over the past fiscal year by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.

Column key:
Question 1: a. Agency Systems; b. Contractor Systems; c. Total Number of Systems. Each reported as Total Number (a) and Number Reviewed.
Question 2: a. Number of systems certified and accredited; b. Number of systems for which security controls have been tested and evaluated in the last year; c. Number of systems for which contingency plans have been tested in accordance with policy and guidance. Each reported as Total Number and Percent of Total.

Bureau         FIPS 199       Q1a    Q1b    Q1c    Q2a   Q2a %    Q2b   Q2b %    Q2c   Q2c %
Name           Risk Level     (a)    (a)    (a)    No.  Percent   No.  Percent   No.  Percent
CBP            High             4      0      4      4  100.0%      3   75.0%      3   75.0%
               Moderate         9      0      9      6   66.7%      5   55.6%      1   11.1%
               Sub-total       13      0     13     10   76.9%      8   61.5%      4   30.8%
CIS            Moderate         2      2      4      3   75.0%      2   50.0%      1   25.0%
               Sub-total        2      2      4      3   75.0%      2   50.0%      1   25.0%
FEMA           High             4      0      4      2   50.0%      3   75.0%      2   50.0%
               Moderate         0      1      1      1  100.0%      0    0.0%      1  100.0%
               Sub-total        4      1      5      3   60.0%      3   60.0%      3   60.0%
FLETC          Moderate         2      0      2      2  100.0%      2  100.0%      0    0.0%
               Sub-total        2      0      2      2  100.0%      2  100.0%      0    0.0%
ICE            High             1      2      3      2   66.7%      2   66.7%      3  100.0%
               Moderate         1      1      2      2  100.0%      0    0.0%      1   50.0%
               Sub-total        2      3      5      4   80.0%      2   40.0%      4   80.0%
Infrastructure High             0      2      2      1   50.0%      1   50.0%      1   50.0%
               Moderate         1      0      1      1  100.0%      1  100.0%      1  100.0%
               Sub-total        1      2      3      2   66.7%      2   66.7%      2   66.7%
OIG            High             2      0      2      1   50.0%      1   50.0%      0    0.0%
               Sub-total        2      0      2      1   50.0%      1   50.0%      0    0.0%
Preparedness   High             2      2      4      3   75.0%      3   75.0%      3   75.0%
               Moderate         1      0      1      0    0.0%      0    0.0%      0    0.0%
               Sub-total        3      2      5      3   60.0%      3   60.0%      3   60.0%
S&T            High             2      1      3      3  100.0%      2   66.7%      3  100.0%
               Moderate         1      0      1      1  100.0%      1  100.0%      1  100.0%
               Sub-total        3      1      4      4  100.0%      3   75.0%      4  100.0%
TSA            High             1      1      2      1   50.0%      2  100.0%      1   50.0%
               Moderate         3      1      4      4  100.0%      3   75.0%      2   50.0%
               Low              1      0      1      1  100.0%      1  100.0%      1  100.0%
               Sub-total        5      2      7      6   85.7%      6   85.7%      4   57.1%
US-VISIT       Moderate         1      0      1      1  100.0%      1  100.0%      1  100.0%
               Sub-total        1      0      1      1  100.0%      1  100.0%      1  100.0%
USCG           High             2      1      3      2   66.7%      2   66.7%      3  100.0%
               Moderate         5      0      5      5  100.0%      4   80.0%      1   20.0%
               Sub-total        7      1      8      7   87.5%      6   75.0%      4   50.0%
USSS           High             3      0      3      3  100.0%      3  100.0%      1   33.3%
               Sub-total        3      0      3      3  100.0%      3  100.0%      1   33.3%
Agency Totals  High            21      9     30     22   73.3%     22   73.3%     20   66.7%
               Moderate        26      5     31     23   74.2%     17   54.8%      9   29.0%
               Low              1      0      1      1  100.0%      1  100.0%      1  100.0%
               Total           48     14     62     46   74.2%     40   64.5%     30   48.4%

Comments:
(a) We are reporting the number of systems that we reviewed; therefore, the total number and number reviewed are the same. See the CIO’s report for the total number of systems for each component.
(b) The number of systems certified and accredited is based on an ATO letter, not on the adequacy of the documents required.

Question 3 – System Inventory and IT Security Performance
In the format below, evaluate the agency’s oversight of contractor systems, and agency system inventory.

3.a.  The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 and/or NIST 800-53 requirements by a contractor or other organization is not sufficient; however, self-reporting by another Federal agency may be sufficient.
      Response Categories: Rarely, for example, approximately 0-50% of the time; Sometimes, for example, approximately 51-70% of the time; Frequently, for example, approximately 71-80% of the time; Mostly, for example, approximately 81-95% of the time; Almost Always, for example, approximately 96-100% of the time.
      Response: Almost Always, for example, approximately 96-100% of the time (a)

3.b.1 The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
      Response Categories: Approximately 0-50% complete; Approximately 51-70% complete; Approximately 71-80% complete; Approximately 81-95% complete; Approximately 96-100% complete.
      Response: Approximately 96-100% complete

3.b.2 If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please list the systems that are missing from the inventory.
      Response: N/A

3.c.  The OIG generally agrees with the CIO on the number of agency owned systems.
      Response: Yes

3.d.  The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency.
      Response: Yes

3.e.  The agency inventory is maintained and updated at least annually.
      Response: Yes

3.f.  The agency has completed system e-authentication risk assessments.
      Response: Yes

Comments:
(a) DHS requires contractor systems to be evaluated in the same manner as agency owned systems. As of September 15, 2006, 96 percent of contractor systems have been reviewed, based on the completion of the components’ NIST 800-26 self-assessment. This response is a result of DHS’ reported performance metrics. The OIG has not evaluated the quality of the assessments performed.

Appendix F
OIG Assessment of the POA&M Process

Question 4 – OIG Assessment of the POA&M Process
Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop down menu.
If appropriate or necessary, include comments in the area provided below.

For items 4.a.-4.f., the response categories are as follows:

  Rarely, for example, approximately 0-50% of the time
  Sometimes, for example, approximately 51-70% of the time
  Frequently, for example, approximately 71-80% of the time
  Mostly, for example, approximately 81-95% of the time
  Almost Always, for example, approximately 96-100% of the time

4.a.  The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
      Response: Almost Always, for example, approximately 96-100% of the time (a)

4.b.  When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
      Response: Sometimes, for example, approximately 51-70% of the time (b)

4.c.  Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress.
      Response: Frequently, for example, approximately 71-80% of the time (c)

4.d.  CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
      Response: Mostly, for example, approximately 81-95% of the time (d)

4.e.  OIG findings are incorporated into the POA&M process.
      Response: Mostly, for example, approximately 81-95% of the time (e)

4.f.  POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
      Response: Sometimes, for example, approximately 51-70% of the time (f)

Comments:
(a) DHS requires all known IT security weaknesses be included in Trusted Agent FISMA.
(b) DHS requires components to create POA&Ms for all IT security weaknesses. As of June 8, 2006, 55 percent of the operational systems had a POA&M in Trusted Agent FISMA. We reviewed 27 operational systems that had not been accredited and found 18 systems (67 percent) that did not have at least one POA&M (lack of a completed C&A). In addition, many of the POA&Ms did not contain all required information, such as resources required for remediation.
(c) DHS components are required to update all information in their POA&Ms at least monthly. However, as of June 8, 2006, 13 percent of open POA&Ms had estimated completion dates that were at least 3 months past due (prior to March 8, 2006), including 37 that had estimated completion dates more than 1 year old. In addition, not all IT security weaknesses are being reported.
(d) The CIO conducts quarterly reviews of the POA&Ms for status and completion and issues reports to the components. However, the CIO relies on the components to correct and update the POA&Ms based on the findings in the reports.
(e) The CIO requires all OIG findings be included in each component’s POA&M. We noted that most of the FY 2006 OIG findings were incorporated into a POA&M.
(f) DHS established new POA&M weakness priority levels in August 2006 for program officials to use to prioritize IT security weaknesses. The CISO has not begun to use the priority levels to ensure the timely resolution of critical weaknesses.

Appendix G
OIG Assessment of the C&A Process

Question 5 – OIG Assessment of the C&A Process

OIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency’s certification and accreditation process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (May 2004) for certification and accreditation work initiated after May 2004. This includes use of the FIPS 199 (February 2004), Standards for Security Categorization of Federal Information and Information Systems, to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.

Assess the overall quality of the Department's certification and accreditation process.

Response Categories:
  - Excellent
  - Good
  - Satisfactory
  - Poor
  - Failing

Response: Satisfactory (a)

Comments:
(a) DHS has implemented a good C&A process. DHS uses a department-wide tool that incorporates NIST security controls to certify and accredit all systems. The CIO requires all components to use this tool.
Components are required to apply NIST 800-53 security controls for all system certifications begun after June 1, 2006. However, for many systems, the artifacts that are required to C&A a system were either missing or incomplete. Our review of 35 C&A packages at 10 components found 27 instances in which accreditation packages were incomplete. Specifically, systems were accredited, although some security documents were missing key information that is required to meet all applicable DHS, OMB, and NIST guidelines.

Appendix H
Agencywide Security Configuration Requirements

Question 6 – Agencywide Security Configuration Requirements

6.a.  Is there an agency wide security configuration policy? (Yes or No.)
      Response: Yes

Comments: DHS has included in its agency-wide policy the requirement that all components ensure that the installation of hardware and software products meet the requirements specified in applicable DHS secure baseline configuration guides. However, DHS has not developed configuration guides for all hardware and software systems being used by its components.

6.b.  Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.

      Response choices for the extent of implementation of the security configuration policy on the systems running the software include:
      - Rarely, or, on approximately 0-50% of the systems running this software
      - Sometimes, or on approximately 51-70% of the systems running this software
      - Frequently, or on approximately 71-80% of the systems running this software
      - Mostly, or on approximately 81-95% of the systems running this software
      - Almost Always, or on approximately 96-100% of the systems running this software

Product                      Addressed in agencywide    Do any agency systems run    Extent of implementation
                             policy? (Yes, No, or N/A)  this software? (Yes or No)   of the policy (a)
Windows XP Professional      Yes                        Yes
Windows NT                   No                         Yes
Windows 2000 Professional    Yes                        Yes
Windows 2000 Server          Yes                        Yes
Windows 2003 Server          Yes                        Yes
Solaris                      Yes                        Yes
HP-UX                        Yes                        Yes
Linux                        Yes                        Yes
Cisco Router IOS             Yes                        Yes
Oracle                       Yes                        Yes
Other: SQL Server            Yes                        Yes

Comments:
(a) Many of the components use standard configurations for their systems, but have not fully implemented DHS' baseline configuration guides.
In addition, the CIO has not verified or determined whether components are in compliance with DHS baseline configurations (or other system configuration guides).

Appendix I
Incident Detection and Handling Procedures

Question 7 – Incident Detection and Handling Procedures

Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.

7.a.  The agency follows documented policies and procedures for identifying and reporting incidents internally. (Yes or No.)
      Response: Yes (a)

7.b.  The agency follows documented policies and procedures for external reporting to law enforcement authorities. (Yes or No.)
      Response: No (b)

7.c.  The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT). (Yes or No.)
      Response: Yes

Comments:
(a) While DHS requires components to submit weekly incident reports, during a 12-week period in FY 2006, five major components (FEMA, FLETC, OIG, TSA, USSS) did not submit reports every week. In addition, the DHS CSIRC does not follow up with the components to ensure that all incidents are being reported.
(b) We again determined that DHS does not have detailed documented procedures for reporting incidents to law enforcement authorities.

Appendix J
Security Training Procedures

Question 8 – Security Training Procedures

Has the agency ensured security training and awareness of all employees, including contractors and those employees with significant IT security responsibilities?

Response Choices include:
  - Rarely, or, approximately 0-50% of employees have sufficient training
  - Sometimes, or approximately 51-70% of employees have sufficient training
  - Frequently, or approximately 71-80% of employees have sufficient training
  - Mostly, or approximately 81-95% of employees have sufficient training
  - Almost Always, or approximately 96-100% of employees have sufficient training

Response: Frequently, or, approximately 71-80% of employees have sufficient training

Comments: The Training Office has begun a validation process to ensure that the components provide IT security awareness training to their employees.
As of August 4, 2006, the Training Office has not begun validating training for\nemployees with significant IT security responsibilities. In addition, the Training Office has not established the\nappropriate security training that is needed for all individuals with significant IT security responsibilities (including\nnetwork, database and system administrators).\n\n\n\n                               Question 9 \xe2\x80\x93 Security Training Procedures\n\n           Does the agency explain policies regarding peer-to-peer file\n           sharing in IT security awareness training, ethics training, or any\n                                                                                                  Yes\n           other agency wide training?\n           Yes or No.\n\n\nComments: Two components (FLETC, USCG) did not explain DHS\xe2\x80\x99 policy regarding peer-to-peer file sharing risks\nduring its IT security awareness training.\n\n\n\n\n                             Evaluation of DHS\xe2\x80\x99 Information Security Program for FY 2006 \n\n\n                                                        Page 34 \n\n\x0cAppendix K\nMajor Contributors to this Report\n\n\n\n\nInformation Security Audit Division\n\nEdward G. 
Coleman, Director\nJeff Arman, Audit Manager\nChiu-Tong Tsang, Senior IT Auditor\nTarsha Ross, Senior IT Auditor\nCharles Twitty, IT Auditor\nSwati Mahajan, IT Specialist\nMichael Horton, Referencer\n\nAdvanced Technology Division\n\nEric Baechle, Senior Security Engineer\nMichael Goodman, Security Engineer\n\n\nAppendix L\nReport Distribution\n\n\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nDeputy Chief of Staff\nGeneral Counsel\nExecutive Secretary\nAssistant Secretary, Legislative and Intergovernmental Affairs\nAssistant Secretary, Policy\nAssistant Secretary, Public Affairs\nChief Information Officer\nChief Financial Officer\nChief Privacy Officer\nChief Human Capital Officer\nChief Information Security Officer\nDirector, Departmental GAO/OIG Liaison Office\nDirector, Compliance and Oversight Program, Office of CIO\nChief Information Officer Audit Liaison\nComponent ISSMs\nComponent CIOs\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriations Committees, as appropriate\n\n\nAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG\nweb site at www.dhs.gov/oig.\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse, or mismanagement, or any other kind\nof criminal or noncriminal misconduct relative to department programs or\noperations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of\nInspector General/MAIL STOP 2600, Attention: Office of Investigations \xe2\x80\x93\nHotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax\nthe 
complaint to (202) 254-4292; or email DHSOIGHOTLINE@dhs.gov. The\nOIG seeks to protect the identity of each writer and caller.\n"